
Your Guide to the OpenSSF OSPS Baseline for More Secure Open Source Projects

Published January 7, 2026 | Blog | Tags: Baseline, Guide

The Open Source Project Security (OSPS) Baseline is a community-developed catalog of practical security controls that helps open source projects understand what good security looks like and how to improve over time.

This work is important because free and open source software is everywhere. It has been estimated that up to 96% of modern codebases include FOSS, and the Linux Foundation’s Census III research shows that nearly every industry now depends on it. With this level of reliance, strong and consistent security practices across open source projects are essential.

In this blog post, you will learn how to use the Baseline and see it in action through several talks, a podcast, a case study, and a set of FAQs, and you will understand how it supports healthier and more secure open source communities.

What the Baseline Is

The Baseline brings together guidance from standards like the NIST SSDF, the EU Cyber Resilience Act, and ISO 27001. It turns these into clear, outcome-focused controls that maintainers and contributors can use in day-to-day work.

Each control includes:

  • A clear goal
  • Practical suggestions for how to implement it
  • Links to related regulations and frameworks
  • Maturity levels to help projects show progress over time

The Baseline is built to meet projects where they are. It can be adopted early in a project’s life or used later to strengthen existing practices.

Explore the Baseline.

Learn Through the Keynotes: “All Your Base Are Belong to Us” and “Supply Chain Reaction: A Cautionary Tale in Kubernetes Security”

At Open Source Summit North America 2025, Christopher “CRob” Robinson and Eddie Knight introduced the Baseline in a memorable keynote titled “All Your Base Are Belong to Us.”

They showed how common security challenges across open source projects can be addressed through one shared framework. They also highlighted how communities like CNCF, OpenJS, and FINOS helped shape the Baseline.

Watch the Keynote.

At KubeCon+CloudNativeCon North America, Stacey Potter (OpenSSF) and Adolfo García Veytia delivered one of the most memorable and entertaining keynotes of the week: “Supply Chain Reaction: A Cautionary Tale in Kubernetes Security.”

Through a live-acted security incident, humorous storytelling, and real-world tooling demos, they showed how even well-secured Kubernetes clusters can fall victim to invisible supply-chain compromise, and demonstrated why frameworks like the Open Source Project Security (OSPS) Baseline are becoming essential for every project, not just for critical infrastructure. 

Watch the Keynote.

Learn Through the Tech Talk: How to Use the Baseline

The OpenSSF Tech Talk “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” offers a practical look at how maintainers can use the Baseline in daily workflows.

You will see:

  • How the Baseline helps navigate security expectations
  • How the maturity levels and categories work
  • How tools and CI systems can integrate the Baseline
  • How users can evaluate project security more confidently

Watch the Tech Talk.

Learn Through the Podcast: A Deep Dive

For a deeper look at why the OSPS Baseline matters and how it is used, listen to the “What’s in the SOSS” podcast episode featuring CRob (OpenSSF), Ben Cotton (Kusari), and Eddie Knight (Sonatype). They walk through the purpose of the Baseline, how it creates a shared language for software security, and how maintainers can use it to clearly show their project’s security posture. The episode covers:

  • Why the Baseline was created
  • The community-led process behind it
  • How projects can get started
  • What the Baseline means for maintainers, contributors, and users

Listen to the Podcast.

Learn Through Real-World Use: The GUAC Case Study

The Baseline is already being used by real projects. One example is GUAC (Graph for Understanding Artifact Composition).

Using LFX Insights and the OSPS Baseline, the GUAC team reviewed and validated their security posture in less than an hour. The Baseline helped them quickly see what they were already doing well, what maturity levels applied, and where future improvements could go.

Read the Case Study.

Quick Answers to Common Questions

What is the purpose of the Baseline?
To define a shared starting point for open source security practices.

Does it replace compliance?
No. It maps to standards but does not replace certifications or audits.

Does Baseline conformance expire?
Baseline conformance reflects a moment in time and should include a date and version.

How can I contribute?
Join the GitHub project and the Slack channel, and explore the full FAQ.

Where the Baseline Lives

The Baseline SIG, a part of the Open Resources for Baselines, Interoperability and Tooling (ORBIT) Working Group, maintains and improves the Baseline. ORBIT also supports related efforts such as Security Insights, assessment guides, and automation integrations.

Join ORBIT.

Why It Matters

The OSPS Baseline gives the open source community a shared language for security. It reduces confusion, helps maintainers meet expectations, and builds trust between open source projects and the people who rely on them.

When projects follow clear, consistent practices, the entire software ecosystem becomes healthier and safer.
